Datatilsynet (Denmark) - 2021-423-0241

Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided:
Published: 31.08.2023
Fine: n/a
Parties: Hedensted Kommune
National Case Number/Name: 2021-423-0241
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: nho23

The Danish DPA found no violation of Article 32(1) GDPR in an investigation procedure conducted at a municipality, considering that the measures taken to prevent unintentional data breaches and mitigate the risks in case of accidental disclosure were appropriate.

English Summary

Facts

In 2021, the Danish DPA carried out inspections at several public authorities to see if they were complying with data protection rules. Among the inspected public authorities was Hedensted Kommune (Municipality of Hedensted). The inspection was prompted by the fact that the controller sent more notifications of data breaches than the national average.

The DPA carried out the inspection in 'written form', focusing especially on the implementation of Article 32(1) GDPR. On 21 June 2021, the DPA sent a letter to the controller notifying them about the investigation and formulating questions for them to answer. The controller was also asked to submit an example of how it instructed its employees.

On 9 August 2021, the controller submitted a statement with the relevant information to the DPA.

Holding

The DPA found no violation of Article 32(1) GDPR. The elements that the DPA took into account to exclude the existence of a GDPR infringement were the following.

In its reply, the controller stated that in case of a data breach the people affected would be informed immediately via a phone call (where possible). Furthermore, the controller also emphasized that they made an effort to find the cause of the breach and to learn from their mistakes, in particular by discussing the incident directly with the employees involved. The DPA thus found that the controller was aware of the damage a breach can cause and willing to adopt sufficient remedial actions.

In order to prevent breaches, the controller also declared that they were continuously implementing new measures. If incidents recurred in a department, the DPO became involved in that department. From this perspective, the DPA observed that the controller took measures after data breaches happened in the past. For example, the controller set up a group that screened the access to documents before they were submitted in the context of an access request. The controller also implemented a scanning tool that could correctly blur documents containing personal data. In general, the DPA got the impression that the controller was seriously committed to avoiding further data breaches in the future.

Therefore, the DPA found that appropriate measures according to Article 32(1) GDPR had been taken.

Finally, the DPA found a decrease of notifications of data breaches from the controller since 22 June 2021.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Supervision of notification of breaches of personal data security

Date: 31-08-2023

Decision; Public authorities; No criticism; Supervision / own-initiative case; Notification of breach of personal data security

The Danish Data Protection Authority has carried out 16 planned inspections with a focus on municipalities' and banks' handling of breaches of personal data security. The Danish Data Protection Authority found occasion to express criticism in two cases.

Journal number: 2021-423-0241.

Hedensted Municipality was among the public authorities that the Data Protection Authority had selected in the spring of 2021 to supervise according to the data protection regulation[1] and the data protection act[2].

The Danish Data Protection Authority's inspection was a written inspection which, among other things, focused on whether Hedensted Municipality had taken appropriate security measures in accordance with the data protection regulation, article 32, subsection 1, with a view to reducing the number of breaches of personal data security where unauthorized disclosure of personal data took place, including in relation to citizens with name and address protection.

The inspection was notified to Hedensted Municipality by letter of 21 June 2021, and the municipality was requested on the same occasion to answer a number of questions and to send an example of an instruction to the municipality's employees on the handling of personal data, including in connection with the sending of information to e.g. citizens, authorities, etc. As background for the inspection, the Danish Data Protection Authority stated that, in a review of its cases regarding notifications of breaches of personal data security, it could be established that Hedensted Municipality had notified significantly more breaches of personal data security per inhabitant of the municipality than Denmark's other municipalities. The Danish Data Protection Authority noted in this connection that the higher number of notifications does not necessarily indicate that the municipality complies with the data protection rules to a lesser extent than municipalities that have significantly fewer notifications per inhabitant.

By letter of 9 August 2021, Hedensted Municipality sent a statement in which the municipality responded to the Data Protection Authority's questions. The municipality's response also included examples of relevant procedures and guidelines.

1. Decision

After a review of the submitted material, the Data Protection Authority finds, on the basis of the present data, that Hedensted Municipality has taken appropriate security measures in accordance with the data protection regulation, article 32, subsection 1, with a view to reducing the number of breaches of personal data security where unauthorized disclosure of personal data takes place, including in relation to citizens with name and address protection.

Below follows a closer review of the information that has come to light in connection with the inspection, and a justification for the Data Protection Authority's decision.

2. Reason for the Data Protection Authority's decision

It appears from the data protection regulation's article 32, subsection 1, that the data controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.

The data controller thus has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks.

The Danish Data Protection Authority is of the opinion that the requirement in Article 32 for adequate security will normally entail that the data controller must ensure that information about registered users, including particularly confidential and sensitive personal data, does not come to the knowledge of unauthorized parties, and that the data controller in this connection, among other things, must ensure that all employees in the organization are, to the extent necessary, familiar with any internal procedures for handling personal data, including in relation to sending personal data to e.g. citizens, authorities, etc., and that procedures, guidelines, workflows, technical security measures, etc. are continuously updated or introduced, including as a result of detected breaches of personal data security.

In the statement of 9 August 2021, Hedensted Municipality has forwarded an example of an instruction to the municipality's employees regarding the transmission of personal data to, among others, citizens, authorities, etc.

Hedensted Municipality has stated that consideration of the protection of name and address information is a natural part of the processing of personal data everywhere in the municipality. It is stated that it is implicit in the understanding of good data processing customs and behavior to ensure extra protection when name and address protection is desired. Should information about persons with name and address protection be inadvertently passed on, it will be dealt with quickly and always – if possible – trigger a telephone contact with those concerned. The municipality will also seek to find out the cause with a view to learning and thus avoid similar incidents. The municipality is therefore particularly aware that such a disclosure may lead to a potentially dangerous situation for those affected.

The municipality has also stated that measures are being implemented on an ongoing basis to avoid repetition of breaches of personal data security where accidental disclosure occurs. In this connection, Hedensted Municipality has stated that specific incidents are discussed with the individual employee with a view to determining further measures that can prevent repeat cases. In the event of repetitions in a department, the municipality's data protection advisor is involved in a dialogue with the department to avoid future incidents.

It also appears from the case that Hedensted Municipality has made considerations following past breaches of personal data security, where there has been an accidental disclosure of personal data. Based on these considerations, the municipality has continuously implemented organizational measures, such as setting up a group that screens access to documents before forwarding. Furthermore, the municipality has implemented technical measures, including the purchase of a scanning tool whose purpose is to properly obscure personal data in documents. Hedensted Municipality has also stated that the municipality continuously implements technical and organizational measures with a view to reducing the number of breaches of personal data security where personal data is inadvertently disclosed.

Regardless of the fact that the Danish Data Protection Authority has not had the opportunity to take a concrete position on whether the municipality has been in dialogue with all relevant employees and departments, and that the Danish Data Protection Authority is not aware of the full content of all training material etc., it is, on the present basis, the supervisory authority's assessment that Hedensted Municipality has taken appropriate security measures in accordance with the data protection regulation, article 32, subsection 1, with a view to reducing the number of breaches of personal data security where unauthorized disclosure of personal data takes place, including in relation to citizens with name and address protection.

In its assessment, the Danish Data Protection Authority has placed emphasis on the information provided by the municipality, including that procedures have been drawn up for the transmission of personal data to external parties, that the municipality has considered and introduced both technical and organizational measures in continuation of past breaches of personal data security in order to eliminate similar breaches, and that there is a strong focus on avoiding the accidental disclosure of name and address protected information.

In a renewed review of the Authority's cases regarding notifications of breaches of personal data security, the Danish Data Protection Authority can ascertain that since 22 June 2021 there appears to have been a decrease in the number of reported breaches of personal data security from Hedensted Municipality. However, as a number of breaches of personal data security continue to be reported, where unauthorized disclosure of personal data has taken place, the Data Protection Authority recommends that the municipality continue to focus on carrying out training and awareness activities, etc., as well as on ensuring that procedures, guidelines, workflows, technical safety measures, etc. are continuously updated or introduced, including as a result of detected breaches of personal data security.

In conclusion, the Danish Data Protection Authority notes that the supervisory authority – typically if the supervisory authority receives new notifications about breaches of personal data security – will be able to resume processing previously reported breaches or allow them to be included in the assessment of any future breaches or complaints.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general data protection regulation)

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information. (Data Protection Act)